Advanced API Security

Published in: Technology

  1. Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE. Prabath Siriwardena
  2. Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE

     Copyright © 2014 by Prabath Siriwardena

     This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

     ISBN-13 (pbk): 978-1-4302-6818-5
     ISBN-13 (electronic): 978-1-4302-6817-8

     Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

     While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

     Publisher: Heinz Weinheimer
     Lead Editor: Robert Hutchinson
     Developmental Editor: Gary Schwartz
     Technical Reviewer: Michael Peacock
     Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Louise Corrigan, James DeWolf, Jonathan Gennick, Robert Hutchinson, Michelle Lowman, James Markham, Matthew Moodie, Jeff Olson, Jeffrey Pepper, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Gwenan Spearing, Matt Wade, Steve Weiss
     Coordinating Editor: Rita Fernando
     Copy Editor: Tiffany Taylor
     Compositor: SPi Global
     Indexer: SPi Global
     Cover Designer: Anna Ishchenko

     Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

     For information on translations, please e-mail rights@apress.com, or visit www.apress.com.

     Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.

     Any source code or other supplementary materials referenced by the author in this text is available to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to www.apress.com/source-code/.
  3. This book is dedicated to two great ladies: my mother and my wife.
  4. Contents at a Glance
     - About the Author
     - About the Technical Reviewer
     - Acknowledgments
     - Introduction
     - Chapter 1: Managed APIs
     - Chapter 2: Security by Design
     - Chapter 3: HTTP Basic/Digest Authentication
     - Chapter 4: Mutual Authentication with TLS
     - Chapter 5: Identity Delegation
     - Chapter 6: OAuth 1.0
     - Chapter 7: OAuth 2.0
     - Chapter 8: OAuth 2.0 MAC Token Profile
     - Chapter 9: OAuth 2.0 Profiles
     - Chapter 10: User Managed Access (UMA)
     - Chapter 11: Federation
     - Chapter 12: OpenID Connect
     - Chapter 13: JWT, JWS, and JWE
     - Chapter 14: Patterns and Practices
     - Index
  5. Contents
     - About the Author
     - About the Technical Reviewer
     - Acknowledgments
     - Introduction
     - Chapter 1: Managed APIs
       - The API Evolution
       - API vs. Managed API
       - API vs. Service
       - Discovering and Describing APIs
       - Managed APIs in Practice
         - Twitter API
         - Salesforce API
       - Summary
     - Chapter 2: Security by Design
       - Design Challenges
         - User Comfort
       - Design Principles
         - Least Privilege
         - Fail-Safe Defaults
         - Economy of Mechanism
         - Complete Mediation
         - Open Design
         - Separation of Privilege
  6. Contents (continued)
         - Least Common Mechanism
         - Psychological Acceptability
       - Confidentiality, Integrity, Availability (CIA)
         - Confidentiality
         - Integrity
         - Availability
       - Security Controls
         - Authentication
         - Authorization
         - Nonrepudiation
         - Auditing
       - Security Patterns
         - Direct Authentication Pattern
         - Sealed Green Zone Pattern
         - Least Common Mechanism Pattern
         - Brokered Authentication Pattern
         - Policy-Based Access Control Pattern
       - Threat Modeling
       - Summary
     - Chapter 3: HTTP Basic/Digest Authentication
       - HTTP Basic Authentication
       - HTTP Digest Authentication
       - Summary
     - Chapter 4: Mutual Authentication with TLS
       - Evolution of TLS
       - How TLS Works
       - TLS Handshake
       - Application Data Transfer
       - Summary
  7. Contents (continued)
     - Chapter 5: Identity Delegation
       - Direct Delegation vs. Brokered Delegation
       - Evolution of Identity Delegation
         - Google ClientLogin
         - Google AuthSub
         - Flickr Authentication API
         - Yahoo! Browser-Based Authentication (BBAuth)
       - Summary
     - Chapter 6: OAuth 1.0
       - The Token Dance
         - Temporary-Credential Request Phase
         - Resource-Owner Authorization Phase
         - Token-Credential Request Phase
         - Invoking a Secured Business API with OAuth 1.0
       - Demystifying oauth_signature
       - Three-Legged OAuth vs. Two-Legged OAuth
       - OAuth WRAP
       - Summary
     - Chapter 7: OAuth 2.0
       - OAuth WRAP
         - Client Account and Password Profile
         - Assertion Profile
         - Username and Password Profile
         - Web App Profile
         - Rich App Profile
       - Accessing a WRAP-Protected API
       - WRAP to OAuth 2.0
       - OAuth 2.0 Grant Types
         - Authorization Code Grant Type
         - Implicit Grant Type
  8. Contents (continued)
         - Resource Owner Password Credentials Grant Type
         - Client Credentials Grant Type
       - OAuth 2.0 Token Types
         - OAuth 2.0 Bearer Token Profile
       - OAuth 2.0 Client Types
       - OAuth 2.0 and Facebook
       - OAuth 2.0 and LinkedIn
       - OAuth 2.0 and Salesforce
       - OAuth 2.0 and Google
       - Authentication vs. Authorization
       - Summary
     - Chapter 8: OAuth 2.0 MAC Token Profile
       - Bearer Token vs. MAC Token
       - Obtaining a MAC Token
       - Invoking an API Protected with the OAuth 2.0 MAC Token Profile
       - Calculating the MAC
       - MAC Validation by the Resource Server
       - OAuth Grant Types and the MAC Token Profile
       - OAuth 1.0 vs. OAuth 2.0 MAC Token Profile
       - Summary
     - Chapter 9: OAuth 2.0 Profiles
       - Token Introspection Profile
         - XACML and OAuth Token Introspection
       - Chain Grant Type Profile
       - Dynamic Client Registration Profile
       - Token Revocation Profile
       - Summary
  9. Contents (continued)
     - Chapter 10: User Managed Access (UMA)
       - ProtectServe
         - UMA and OAuth
       - UMA Architecture
       - UMA Phases
         - UMA Phase 1: Protecting a Resource
         - UMA Phase 2: Getting Authorization
         - UMA Phase 3: Accessing the Protected Resource
       - UMA APIs
         - Protection API
         - Authorization API
       - The Role of UMA in API Security
       - Summary
     - Chapter 11: Federation
       - Enabling Federation
       - Brokered Authentication
       - SAML 2.0 Profile for OAuth: Client Authentication
       - SAML 2.0 Profile for OAuth: Grant Type
       - JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
       - Summary
     - Chapter 12: OpenID Connect
       - A Brief History of OpenID Connect
       - Understanding OpenID Connect
         - Anatomy of the ID Token
         - OpenID Connect Request
         - Requesting User Attributes
         - Grant Types for OpenID Connect
         - Requesting Custom User Attributes
         - OpenID Connect Discovery
  10. Contents (continued)
         - OpenID Connect Identity Provider Metadata
         - OpenID Connect Dynamic Client Registration
         - OpenID Connect for Securing APIs
       - Summary
     - Chapter 13: JWT, JWS, and JWE
       - JSON Web Token
       - JOSE Working Group
       - JSON Web Signature
         - Signature Algorithms
         - Serialization
       - JSON Web Encryption
         - Content Encryption vs. Key Wrapping
         - Serialization
       - Summary
     - Chapter 14: Patterns and Practices
       - Direct Authentication with the Trusted Subsystem Pattern
       - Single Sign-On with the Delegated Access Control Pattern
       - Single Sign-On with the Integrated Windows Authentication Pattern
       - Identity Proxy with the Delegated Access Control Pattern
       - Delegated Access Control with the JSON Web Token Pattern
       - Nonrepudiation with the JSON Web Signature Pattern
       - Chained Access Delegation Pattern
       - Trusted Master Access Delegation Pattern
       - Resource Security Token Service (STS) with the Delegated Access Control Pattern
       - Delegated Access Control with the Hidden Credentials Pattern
       - Summary
     - Index
  11. About the Author

      Prabath Siriwardena is the Director of Security Architecture at WSO2 Inc., a company that produces a wide variety of open source software from data to screen. He is a member of the OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC, OASIS Security Services (SAML) TC, OASIS Identity in the Cloud TC, and OASIS Cloud Authorization (CloudAuthZ) TC. Prabath is also a member of Apache Axis PMC and has spoken at numerous international conferences including OSCON, ApacheCon, WSO2Con, the European Identity Conference (EIC), IDentity Next, the API Strategy Conference, and OSDC. He has more than ten years of industry experience and has worked with many Fortune 100 companies. Advanced API Security is his second book. His first book was Enterprise Integration with WSO2 ESB (Packt Publishing, 2013).
  12. About the Technical Reviewer

      Michael Peacock is an experienced software developer and team lead from Newcastle, UK. Michael holds a degree in software engineering from the University of Durham. After spending a number of years running his own web agency and subsequently working directly for a number of software startups, Michael now serves as a technical consultant for a range of companies, helping with application development, software processes, and technical direction. He is the author of Creating Development Environments with Vagrant, PHP 5 Social Networking, PHP 5 E-Commerce Development, Drupal 7 Social Networking, Selling online with Drupal e-Commerce, and Building Websites with TYPO3. Michael has been involved with other publications including Mobile Web Development, Jenkins Continuous Integration Cookbook, and Drupal for Education and E-Learning, on which he served as a technical reviewer. Michael has presented at a number of user groups and technical conferences including the PHP UK Conference, the Dutch PHP Conference, ConFoo, PHPNE, PHPNW, and Cloud Connect Santa Clara. You can follow Michael on Twitter (@michaelpeacock) or find out more about him through his web site (www.michaelpeacock.co.uk).
  13. 13. Acknowledgments I would first like to thank Jonathan Hassel, senior editor at Apress, for evaluating and accepting my proposal for this book. Then, of course, I must thank Rita Fernando, coordinating editor at Apress, who was extremely patient and tolerant of me throughout the publishing process. Thank you very much Rita for your excellent support—I really appreciate it. Also, Gary Schwartz and Tiffany Taylor did an amazing job reviewing the manuscript—many thanks, Gary and Tiffany! Michael Peacock served as technical reviewer—thanks, Michael, for your quality review comments, which were extremely useful. Thilina Buddhika from Colorado State University also helped in reviewing the first two chapters of the book—many thanks, again, Thilina! Dr. Sanjiva Weerawarana, the CEO of WSO2, and Paul Fremantle, the CTO of WSO2, are two constant mentors for me. I am truly grateful to both Dr. Sanjiva and Paul for everything they have done for me. I also must express my gratitude to Asanka Abeysinghe, the Vice President of Solutions Architecture at WSO2 and a good friend of mine—we have done designs for many Fortune 500 companies together, and those were extremely useful in writing this book. Thanks, Asanka! Of course, my beloved wife, Pavithra, and my little daughter, Dinadi, supported me throughout this process. Pavithra wanted me to write this book even more than I wanted to write it. If I say she is the driving force behind this book, it’s no exaggeration. She simply went beyond just feeding me with encouragement—she also helped immensely in reviewing the book and developing samples. She was always the first reader. Thank you very much, Pavithra. My parents and my sister have been the driving force behind me since my birth. If not for them, I wouldn’t be who I am today. I am grateful to them for everything they have done for me. 
Last but not least, my wife’s parents—they were amazingly helpful in making sure that the only thing I had to do was to write this book, taking care of almost all the other things that I was supposed to do. The point is that although writing a book may sound like a one-man effort, it’s the entire team behind it who makes it a reality. Thank you to everyone who supported me in many different ways.
  14. 14. Introduction APIs are becoming increasingly popular for exposing business functionalities to the rest of the world. According to an infographic published by Layer 7, 86.5% of organizations will have an API program in place in the next five years. Of those, 43.2% already have one. APIs are also the foundation of building communication channels in the Internet of Things (IoT). From motor vehicles to kitchen appliances, countless items are beginning to communicate with each other via APIs. Cisco estimates that as many as 50 billion devices could be connected to the Internet by 2020. This book is about securing your most important APIs. As is the case with any software system design, people tend to ignore the security element during the API design phase. Only at deployment or at the time of integration do they start to address security. Security should never be an afterthought—it’s an integral part of any software system design, and it should be well thought out from the design’s inception. One objective of this book is to educate you about the need for security and the available options for securing an API. The book also guides you through the process and shares best practices for designing APIs for rock-solid security. API security has evolved a lot in the last five years. The growth of standards has been exponential. OAuth 2.0 is the most widely adopted standard. But it’s more than just a standard—it’s a framework that lets people build standards on top of it. The book explains in depth how to secure APIs, from traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it, such as OpenID Connect, User Managed Access (UMA), and many more. JSON plays a major role in API communication. Most of the APIs developed today support only JSON, not XML. This book also focuses on JSON security. JSON Web Encryption (JWE) and JSON Web Signature (JWS) are two increasingly popular standards for securing JSON messages. 
The latter part of this book covers JWE and JWS in detail. Another major objective of this book is to not just present concepts and theories, but also explain each of them with concrete examples. The book presents a comprehensive set of examples that work with APIs from Google, Twitter, Facebook, Yahoo!, Salesforce, Flickr, and GitHub. The evolution of API security is another topic covered in the book. It’s extremely useful to understand how security protocols were designed in the past and how the drawbacks discovered in them pushed us to where we are today. The book covers some older security protocols such as Flickr Authentication, Yahoo! BBAuth, Google AuthSub, Google ClientLogin, and ProtectServe in detail. I hope this book effectively covers this much-needed subject matter for API developers, and I hope you enjoy reading it.
